Related Application

[0001] This application hereby claims priority under 35 U.S.C. §119 to a 
Provisional Patent Application entitled, "Security Mechanisms in a Network 
Environment," filed August 31, 2001 by inventors Arun Swaminathan, 
Kamalendu Biswas, and Gaurav Bhatia (Application No. 60/316,808). 

BACKGROUND 

Field of the Invention 

[0002] The present invention relates to network-based computer 
applications. More specifically, the present invention relates to a method and an 
apparatus that facilitates associating lockouts with a user identifier for accessing 
network applications. 

Related Art 

[0003] Modern enterprise computing systems distribute computer 
application programs across application servers accessible across a network such 
as the World Wide Web. Typically, these application programs require a user to 
authenticate prior to allowing the user to access the application. Many of these 
web-based computer applications rely on password-based authentication. 

[0004] Password-based authentication depends upon using a limited length 
password selected from a known character set. It is possible, therefore, for an 
adversary to mount a brute force attack by exhaustively trying different passwords 
to gain unauthorized entry to the application. Administrators employ many 
techniques to counter this threat, such as forcing a user to change the password 
periodically, requiring a minimum length password, requiring a complex 
password, and the like. 

[0005] These techniques do not, however, obviate a brute force attack on 
the system. The system can, however, deny entry during a brute force attack by 
imposing a lockout on the account being attacked. A brute force attack can be 
detected by observing a specified number of unsuccessful attempts to access the 
application with an incorrect password. When a brute force attack is detected, the 
system prevents the user's account from accessing the application for a specified 
amount of time, or until an administrator unlocks the user's account. 

[0006] While effective at preventing unauthorized entry into the 
application, a lockout has the undesired effect of locking out the legitimate user of 
the account until the account has been reset, either automatically or by the 
administrator. This constitutes a denial-of-service attack where an adversary can 
prevent the legitimate user from accessing the application. 
[0007] What is needed is a method and an apparatus that facilitates 
allowing a legitimate user of an account to access a web-based application while 
preventing a denial-of-service attack from an adversary. 

SUMMARY 

[0008] One embodiment of the present invention provides a system that 
facilitates locking an adversary out of a network application. The system operates 
by first receiving a request at a server, which includes an authentication credential, 
to access the network application. This authentication credential includes a user 
identifier associated with a user and a network address of a user device. The 
system next examines an audit log to determine if the user identifier has been 
locked out from the network address of the user device. If so, the system denies 
access to the network application. Otherwise, the system checks the 
authentication credential for validity. If the authentication credential is valid, the 
system allows access to the network application. Otherwise, the system logs a 
failed attempt in the audit log and denies access to the network application. After 
a threshold number of failed attempts, the user identifier is locked out from the 
network address. 

[0009] In one embodiment of the present invention, the system imposes a 
global lockout for the user identifier after a threshold number of network 
addresses are locked out for the user identifier. 

[0010] In one embodiment of the present invention, the system removes a 
lockout after a predetermined period of time. 

[0011] In one embodiment of the present invention, an administrator of 
the server manually removes a lockout. 

[0012] In one embodiment of the present invention, the authentication 
credential includes a user name and a password. 
[0013] In one embodiment of the present invention, checking the 
authentication credential for validity involves verifying that an administrator has 
authorized access to the network application for a combination of the user name 
and the password, and determining if the request violates an access rule in a rule 
table. 

In one embodiment of the present invention, the access rule can specify an 
allowed time-of-day, an allowed number of attempts, an allowed network address, 
and an allowed network domain. 

[0014] In one embodiment of the present invention, the network address 
includes an Internet Protocol address. 

BRIEF DESCRIPTION OF THE FIGURES 
[0015] FIG. 1 illustrates computer systems coupled together in accordance 
with an embodiment of the present invention. 

[0016] FIG. 2 illustrates application server 110 in accordance with an 
embodiment of the present invention. 

[0017] FIG. 3 illustrates authentication module 206 in accordance with an 
embodiment of the present invention. 

[0018] FIG. 4 is a flowchart illustrating the process of accessing a network 
application in accordance with an embodiment of the present invention. 



DETAILED DESCRIPTION 
[0019] The following description is presented to enable any person skilled 
in the art to make and use the invention, and is provided in the context of a 
particular application and its requirements. Various modifications to the disclosed 
embodiments will be readily apparent to those skilled in the art, and the general 
principles defined herein may be applied to other embodiments and applications 
without departing from the spirit and scope of the present invention. Thus, the 
present invention is not intended to be limited to the embodiments shown, but is 
to be accorded the widest scope consistent with the principles and features 
disclosed herein. 

[0020] The data structures and code described in this detailed description 
are typically stored on a computer readable storage medium, which may be any 
device or medium that can store code and/or data for use by a computer system. 
This includes, but is not limited to, magnetic and optical storage devices such as 
disk drives, magnetic tape, CDs (compact discs) and DVDs (digital versatile discs 
or digital video discs), and computer instruction signals embodied in a 
transmission medium (with or without a carrier wave upon which the signals are 
modulated). For example, the transmission medium may include a 
communications network, such as the Internet. 

Computer Systems 

[0021] FIG. 1 illustrates computer systems coupled together in accordance 
with an embodiment of the present invention. The system illustrated in FIG. 1 
includes computers 104, 106, 112, 114, and 116 and application server 110 
coupled together by network 108. Computers 104, 106, 112, 114, and 116 and 
application server 110 can generally include any type of computer system, 
including, but not limited to, a computer system based on a microprocessor, a 
mainframe computer, a digital signal processor, a portable computing device, a 
personal organizer, a device controller, and a computational engine within an 
appliance. Note that the system is not limited to the number of computers and 
application servers shown and can generally include any number of computers and 
application servers. 
[0022] Network 108 can generally include any type of wired or wireless 
communication channel capable of coupling together computing nodes. This 
includes, but is not limited to, a local area network, a wide area network, or a 
combination of networks. In one embodiment of the present invention, network 
108 includes the Internet. 

[0023] Administrator 122 controls access to application server 110, and to 
the applications stored thereon, by identifying authorized user name/password 
combinations and by establishing access rules such as allowed time-of-day, 
allowed number of access attempts, allowed network addresses, and allowed 
network domains. 

[0024] User 102 is authorized access to the applications on application 
server 110 by administrator 122. User 102 typically accesses application server 
110 through computer 104 and computer 106. However, user 102 may be 
authorized to use other computers as well. 
[0025] Adversary 120 may attempt to access the applications on server 
110 by masquerading as user 102 using a computer such as computer 112, 114, or 
116. After a threshold number of failed attempts to access these applications, the 
system locks out the user identifier from whichever of computers 112, 114, or 116 
is being used. This lockout is based on the user identifier and the network address 
of the computer. Typically, the network address is the Internet protocol (IP) 
address of the computer. Note that denying access to the user identifier from a 
specific IP address does not deny access to the user from another computer, say 
computer 104. Note also that the system may impose a global lockout for the user 
identifier after a threshold number of IP addresses have been locked out for the 
user identifier. 

[0026] After the user identifier has been locked out, either globally or by 
IP address, the system may, at the discretion of administrator 122, automatically 
remove the lockout after a period of time or administrator 122 may remove the 
lockout manually. 

Application Server 110 

[0027] FIG. 2 illustrates application server 110 in accordance with an 
embodiment of the present invention. Application server 110 includes application 
202, listener 204, and authentication module 206. Application 202 is a network 
application such as e-mail, database services, and the like. Application server 110 
may include more than one application. 

[0028] Listener 204 monitors access requests from network 108 for 
application 202. When listener 204 detects a new request, the request is routed to 
authentication module 206 to check for lockout and for valid authentication. 
Authentication module 206 determines whether the accessing IP address has been 
locked out and whether the user identifier is authorized to access application 202 
according to access rules established by administrator 122. Authentication 
module 206 processes the access request as described below in conjunction with 
FIGs. 3 and 4. 

Authentication Module 206 

[0029] FIG. 3 illustrates authentication module 206 in accordance with an 
embodiment of the present invention. Authentication module 206 includes audit 
module 302, evaluation engine 304, lockout module 306, and administration 
module 308. Authentication module 206 is coupled to database 310 for access to 
various tables and files related to authenticating an access request for application 
202. Database 310 includes audit log 312 and access rules 314. 

[0030] Audit module 302 logs access attempts and disposition of these 
access attempts in audit log 312. Audit log 312 is used to store the user identifier 
and the Internet protocol (IP) address associated with the access attempt. Lockout 
module 306 prevents accesses from an IP address for a specific user identifier 
after a threshold number of failed access attempts take place from that IP address 
for the specific user identifier. Additionally, lockout module 306 can globally 
lock out a user identifier after a threshold number of IP addresses have been 
locked out for the specific user identifier. 

[0031] If the user identifier has not been locked out for the IP address 
associated with an access attempt, evaluation engine 304 determines if the access 
request is valid. Evaluation engine 304 uses the user identifier and password to 
determine if the user associated with the user identifier is authorized to access 
application 202. Evaluation engine 304 also inspects the access rules to determine 
if the access request violates any of these access rules. These access rules can 
include allowed time-of-day, allowed number of access attempts, allowed network 
addresses, allowed network domains, and the like. If none of the access rules 
have been violated and if the access credentials are valid, authentication module 
206 grants access to application 202. Otherwise, access is denied. In either case, 
an entry is made in audit log 312 by audit module 302 to record the disposition of 
the access request. 
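The access-rule inspection performed by evaluation engine 304 can be illustrated as follows. This is an added example, not code from the patent; the rule table, the user name "alice", the addresses and the domain names are constructed sample data, and the check fails closed when no rule exists for a user identifier.

```python
import ipaddress
from datetime import time as daytime

# Constructed stand-in for access rules 314: one entry per user identifier.
ACCESS_RULES = {
    "alice": {
        "time_of_day": (daytime(8, 0), daytime(18, 0)),  # allowed window (local time)
        "networks": ["10.0.0.0/8", "192.0.2.0/24"],      # allowed network addresses
        "domains": ["corp.example"],                      # allowed network domains
    }
}

def in_window(now, window):
    """Allowed time-of-day check; a window may wrap past midnight (22:00-06:00)."""
    start, end = window
    if start <= end:
        return start <= now <= end
    return now >= start or now <= end

def violations(user_id, ip, client_domain, now, rules=ACCESS_RULES):
    """Return the names of the access rules the request violates (empty = passes)."""
    rule = rules.get(user_id)
    if rule is None:
        return ["no rule for user"]   # fail closed: an unknown identifier gets nothing
    failed = []
    if "time_of_day" in rule and not in_window(now, rule["time_of_day"]):
        failed.append("time-of-day")
    if "networks" in rule:
        addr = ipaddress.ip_address(ip)   # membership is False for a mismatched IP version
        if not any(addr in ipaddress.ip_network(n) for n in rule["networks"]):
            failed.append("network address")
    if "domains" in rule:
        host = client_domain.lower().rstrip(".")
        # Match the domain itself or a label boundary below it; a bare endswith()
        # would wrongly accept "evilcorp.example" for the rule "corp.example".
        if not any(host == d or host.endswith("." + d) for d in rule["domains"]):
            failed.append("network domain")
    return failed
```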

[0032] Administrator 122 uses administration module 308 to establish 
accounts on application server 110 and to specify the rules within access rules 
314. Administrator 122 also uses administration module 308 to establish the 
method of recovery from a lockout and to manually remove active lockouts from 
the system. 

Accessing a Network Application 

[0033] FIG. 4 is a flowchart illustrating the process of accessing a network 
application in accordance with an embodiment of the present invention. The 
system starts when application server 110 receives a request for access to 
application 202 (step 402). In response to this request, audit module 302 within 
authentication module 206 accesses information from audit log 312 on database 
310 (step 404). 

[0034] From this information, audit module 302 determines if the user 
identifier within the access request has been globally locked out from accessing 
application 202 (step 406). Note that the user identifier can be globally locked out 
after a threshold number of Internet protocol (IP) addresses have been locked out 
for the user identifier. 

[0035] If the user identifier has not been globally locked out, audit module 
302 determines if the user identifier has been locked out for the specific IP 
address associated with the access request (step 408). Note that the specific IP 
address can be locked out after a threshold number of failed access requests have 
originated from that IP address. 

[0036] If the user identifier has not been locked out from the specific IP 
address, evaluation engine 304 checks the authentication data against access rules 
314 (step 410). Evaluation engine 304 then determines if the user is authorized to 
access application 202 (step 412). If so, audit module 302 enters the successful 
access attempt in audit log 312 (step 414). Next, authentication module 206 
grants access to user 102 (step 416). 

[0037] If the user is globally locked out at step 406, or if the user is locked 
out from the specific IP address at step 408, or if the user is not authorized to 
access application 202 at step 412, audit module 302 logs the failed access 
attempt, including the IP address of the computer, in audit log 312 (step 418). 
Finally, authentication module 206 denies access to adversary 120 (step 420). 

[0038] The foregoing descriptions of embodiments of the present 
invention have been presented for purposes of illustration and description only. 
They are not intended to be exhaustive or to limit the present invention to the 
forms disclosed. Accordingly, many modifications and variations will be apparent 
to practitioners skilled in the art. Additionally, the above disclosure is not 
intended to limit the present invention. The scope of the present invention is 
defined by the appended claims. 